Active Directory Kerberos authentication
Active Directory/Kerberos (AD/Kerberos) authentication integrates BMC Server Automation with a key distribution center (KDC) to utilize the Kerberos version 5 protocol for authenticating client-tier users. AD/Kerberos authentication correlates client-tier users to identities maintained within an Active Directory domain controller rather than the central Application Server RBAC-based database.
When an Active Directory domain user chooses to authenticate using AD/Kerberos, Kerberos mediates an authentication exchange between the client (the BMC Server Automation Console or the blcred utility) and the domain controller as well as between the client and the BMC Server Automation Authentication Service. After successfully authenticating the domain user, the Authentication Service issues the client a session credential. At that point, a BMC Server Automation client application can use that session credential to establish an authenticated secure session with the Application Server or a Network Shell Proxy Service identified by the service URLs in the session credential.
AD/Kerberos takes advantage of the Windows single sign-on functionality. A user logging in to the BMC Server Automation Authentication Service authenticates with the same user credential he or she acquires when logging in to the Windows domain.
Although BMC BladeLogic Decision Support for Server Automation does not support AD/Kerberos authentication, it can authenticate AD/Kerberos users who provide a user name, domain, and password (see Domain authentication).